Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec spd.conf automatic creation modification

    Scheduled Pinned Locked Moved IPsec
    1 Posts 1 Posters 607 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      swalz
      last edited by

      Hi All,
      I have 2 Lan interfaces routing all traffic through an IPSec Tunnel.
      The LAN interface is still reachable from the LAN, however the OPT1 interface is not reachable due to the automatic added routes when a IPSec tunnel is created.
      I am using PFSense 2.1.5 as editing the routes for IPSec is impossible with 2.2

      The auto added routes which make the interface still reachable are generated through file: /etc/inc/vpn.inc
      from line 847 to 866 (see below:
      /* generate spd.conf /
      $spdconf = "";
      $natfilterrules = false;
      if (is_array($a_phase2) && count($a_phase2)) {
      /       Try to prevent people from locking themselves out of webgui. Just in case. */
      if ($config['interfaces']['lan']) {
      $lanip = get_interface_ip("lan");
      if (!empty($lanip) && is_ipaddrv4($lanip)) {
      $lansn = get_interface_subnet("lan");
      $lansa = gen_subnet($lanip, $lansn);
      $spdconf .= "spdadd -4 {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
      $spdconf .= "spdadd -4 {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
      }
      $lanipv6 = get_interface_ipv6("lan");
      if (!empty($lanipv6) && is_ipaddrv6($lanipv6)) {
      $lansnv6 = get_interface_subnetv6("lan");
      $lansav6 = gen_subnetv6($lanipv6, $lansnv6);
      $spdconf .= "spdadd -6 {$lanipv6}/128 {$lansav6}/{$lansnv6} any -P out none;\n";
      $spdconf .= "spdadd -6 {$lansav6}/{$lansnv6} {$lanipv6}/128 any -P in none;\n";
      }

      I am trying to modify the file so it does add this route for an OPT1 interface as well.
      Can someone help out? do I just change "lan" to "opt1" or what is the proper name PFSense uses to get these variables for an optional interface?
      And can I just put these lines below the initial lines?

      192.168.12.0/22 is my LAN interface
      10.11.15.0/24 is my OPT1 interface

      Basically what I am trying to achieve is to add these 2 lines to the spd.conf:
      spdadd -4 10.11.15.1/32 10.11.15.0/24 any -P out none;
      spdadd -4 10.11.15.0/24 10.11.15.1/32 any -P in none;

      These 2 lines below get autoimatically generated which makes it possible to still talk to the LAN interface when having an IPSec tunnel:
      spdadd -4 192.168.12.1/32 192.168.12.0/22 any -P out none;
      spdadd -4 192.168.12.0/22 192.168.12.1/32 any -P in none;

      Thanks
      Sebastian

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.